The occurrence of a data breach is always a stressful experience that usually results in reputational damage and direct and indirect costs for the organization that can continue for months, even years.
Find out what your obligations are as an organization when it comes to reporting a data breach to the data protection authority, and when you are obligated to notify individuals.
What is a personal data breach?
A personal data breach is a security breach that can lead to accidental or deliberate loss, destruction, corruption, unauthorized disclosure, or alteration of personal data that can cause material or non-material damages to individuals.
The most important part of this definition is that it has to involve personal data because, while all personal data breaches are security incidents, not all security incidents are necessarily personal data breaches!
A personal data breach means your organization is unable to ensure compliance with the GDPR and principles relating to the processing of personal data (Article 5).
Differentiating security incidents from personal data breaches will help you decide whether you are obligated to report a specific incident to the supervisory authority or not.
You are only obligated to report a breach concerning personal information and only in certain situations.
How likely is a data breach going to affect personal data?
According to the “Cost of a Data Breach Report”, PII was the type of data most often lost or stolen in breaches (80%). However, if you take the necessary steps, prepare, and react fast, you can at least contain data breach costs, show cooperation with the data protection authority, and protect the company's reputation.
One of the ways you can contain the financial and reputational damages of a data breach is by having an incident response plan and reporting it on time.
How to decide whether you should notify the supervisory authority?
We advise you to conduct a risk assessment and consider different ways in which the data breach can affect individuals when assessing the impact.
When a personal data breach occurs, you will have to assess the severity of potential risks for an individual’s rights and freedoms.
- If a data breach presents a risk to the rights and freedoms of individuals, then you must notify the supervisory authority.
- If it is highly unlikely that the breach would affect personal data, then you are not obligated to report it.
Recital 75 can help you clarify what is considered a potential risk to an individual’s rights and freedoms. The safe approach is to report every personal data breach unless they are unlikely to result in a risk to the rights and freedoms of individuals.
The GDPR states that if a personal data breach occurs, the organization needs to notify the competent national supervisory authority immediately, and no later than 72 hours after becoming aware of the breach; in the case of a cross-border breach, the notification goes to the lead authority (Article 33).
Where the notification to the supervisory authority is not made within 72 hours, you will have to name the reasons for the delay.
However, it doesn’t hurt to check in with the supervisory authority, since you can get valuable information, including guidance on whether you should inform the affected individuals.
You can find the list of all data protection authorities that supervise the application of the data protection law and find out how you can report a data breach:
Should you notify individuals about the personal data breach?
You are obligated to inform the individuals about the breach without undue delay if it is likely to result in a high risk to their rights and freedoms. (Article 34)
Risks to the rights and freedoms of individuals
A personal data breach can result in physical, material or non-material damage to individuals such as:
- Loss of control over their personal data
- Limitation of their rights
- Identity theft or fraud
- Financial loss
- Unauthorized reversal of pseudonymization
- Damage to reputation
- Loss of confidentiality
- Any other significant economic or social disadvantage to the natural person concerned (Recital 85)
Understanding how a breach impacts individuals and what kind of damage it can cause will help you decide whether you are obligated to notify individuals or not.
The obligation to contact individuals will have to be assessed for each case individually.
The safest way to be sure you are compliant is to ask for guidance and direction from your national supervisory authority.
When are you not obligated to notify individuals?
There are a few situations where you will not be obligated to notify individuals about personal data breaches:
- You have implemented appropriate technical and organizational measures to protect data, and those measures were applied to the personal data affected by the breach; for example, measures that render the personal data unintelligible to any person who is not authorized to access it, such as encryption.
- You have taken subsequent measures which ensure that the high risk to the rights and freedoms of individuals is no longer likely to materialize.
- If notifying individuals would involve a disproportionate effort. In that case, you should issue a public statement or similar measure.
Be careful when relying on the disproportionate effort exception, since the GDPR does not clearly define the term, leaving it open to different interpretations by supervisory authorities.
WP29 EXAMPLE #1
If personal data is unintelligible to unauthorized parties (because it was encrypted with a key that was not compromised), a confidentiality breach involving properly encrypted personal data may not need to be notified to the supervisory authority.
This is because such a breach is unlikely to pose a risk to individuals’ rights and freedoms.
WP29 EXAMPLE #2
Where personal data are already publicly available, disclosure of such data does not constitute a likely risk to the individual.
When assessing the risk, you should consider both the likelihood and severity of the risk to the rights and freedoms of data subjects.
Regardless of the outcome of your assessment, you should document it, since that will make it easier to justify your decision if necessary.
What information should notification to individuals include?
Notification to the data subjects should include all information that you have reported to the data protection authority.
Besides explaining the nature of the personal data breach, you should give individuals the name and contact details of your DPO (or other contact points), a description of the likely consequences of the breach, and a description of the measures taken to address it:
- Description of the nature of the breach;
- The name and contact details of the data protection officer or other contact points;
- Description of the likely consequences of the breach;
- Description of the measures taken or proposed to be taken by the controller to address the breach.
One of the reasons individuals need to be aware of the breach is to help them protect themselves from the consequences of the breach.
What should the data breach notification to the supervisory authority include?
- Describe the nature of the personal data breach, including, where possible, the categories and approximate number of data subjects concerned and the categories and approximate number of personal data records concerned;
- Include the name and contact details of the DPO or of another contact point involved in the process who can be reached for additional information;
- Describe the possible effects of the personal data breach;
- Describe the measures you are taking to address the breach.
The GDPR does not define categories of data subjects or personal data records that should be specified in the notification.
However, it is advised to define categories of data subjects whose personal data has been affected by a breach, like children, people with disabilities, or employees. The same goes for special categories of data.
If you do not have all the information that the notification requires, do not let that keep you from reporting the breach.
You can always provide the missing information later on. The focus should always be on containing the damage and protecting individuals; the numbers are there to help grasp the magnitude of the breach.
What is the role of the data processors?
The GDPR requires both controllers and processors to have appropriate technical and organizational measures in place to ensure a level of security appropriate to the risk posed to the personal data.
The processor is obligated to notify the controller without undue delay after becoming aware of a personal data breach.
If you are working with data processors, you need to sign a contract between you as the data controller and them as your processor. All the requirements on breach reporting should be put in the contract and described in detail.
Data processors must assist data controllers in notifying data breaches or in conducting a Data Protection Impact Assessment (DPIA).
Proper breach procedures require data processors to understand what constitutes a data breach and react according to their responsibilities.
According to the Cost of a Data Breach Report, if you have an Incident Response team and an IR plan, you can lower the cost of a data breach by as much as $2 million.
That is a great indicator of how preparing and planning can make a huge financial difference for the organization.
Make sure to develop your internal policies and procedures related to dealing with the occurrence of personal data breaches.
You can standardize operating procedures for data breaches, and they will guide you during personal data breach incidents.
You should always know what needs to be done before, during, and after the occurrence of the data breach.
The standard operating procedure needs to set the risk profile of personal data in each section of the data controller’s system and provide the details necessary to enable the controller to conduct the steps of the risk assessment.
Think about your overall GDPR compliance. If you haven’t already, you should have a compliant record of processing activities, third-party management, data subject requests, and consent management to begin with. You can see how this works with our privacy software.